Mehmet Can Cömert created NET-738:
-------------------------------------

             Summary: Ftp Client is no longer working with HTTP Proxies
                 Key: NET-738
                 URL: https://issues.apache.org/jira/browse/NET-738
             Project: Commons Net
          Issue Type: Bug
          Components: FTP
    Affects Versions: 3.11.1
            Reporter: Mehmet Can Cömert


Hello,

we have the following setup for the FTP Server communication:
FTP Client is installed on a machine where direct Internet access is prohibited.
We need to connect to an FTP Server which is only accessible via HTTP PROXY.

When FTP Client creates the command connection, it can successfully communicate 
with the FTP Server.
Afterwards, requesting of a directory listing (MLSD) is also communicated over 
Http PROXY.

However, as FTP Client tries to open the data connection, it gets the IP 
address and high port for the PASSIVE mode in the reply.
During parsing the reply, FTP Client tries to resolve the IP Address of the FTP 
Server by utilizing the socket, which is behind a PROXY and therefore returns 
the IP address of the PROXY.
https://github.com/apache/commons-net/blob/master/src/main/java/org/apache/commons/net/ftp/FTPClient.java#L883

Finally we get a data connection attempt to PROXY with: IP address of the PROXY 
+ high port from FTP Server.
instead of IP address of the FTP Server + high port from FTP Server
(opening command connection over PROXY was working with: hostname of the FTP 
Server + port 21)

Which results with Unable to tunnel through proxy. Proxy returns "HTTP/1.1 403 
Forbidden"

2025-10-01T11:22:30.424Z ERROR Unable to tunnel through proxy. Proxy returns "HTTP/1.1 403 Forbidden"
java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 403 Forbidden"
    at java.base/sun.net.www.protocol.http.HttpURLConnection.doTunneling0(HttpURLConnection.java:2312)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.doTunneling(HttpURLConnection.java:2182)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:569)
    at java.base/java.net.HttpConnectSocketImpl.doTunneling(HttpConnectSocketImpl.java:206)
    at java.base/java.net.HttpConnectSocketImpl.doTunnel(HttpConnectSocketImpl.java:195)
    at java.base/java.net.HttpConnectSocketImpl$2.run(HttpConnectSocketImpl.java:175)
    at java.base/java.net.HttpConnectSocketImpl$2.run(HttpConnectSocketImpl.java:173)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
    at java.base/java.net.HttpConnectSocketImpl.privilegedDoTunnel(HttpConnectSocketImpl.java:172)
    at java.base/java.net.HttpConnectSocketImpl.connect(HttpConnectSocketImpl.java:119)
    at java.base/java.net.Socket.connect(Socket.java:633)
    at org.apache.commons.net.ftp.FTPClient._openDataConnection_(FTPClient.java:785)
    at org.apache.commons.net.ftp.FTPClient._openDataConnection_(FTPClient.java:664)
    at org.apache.commons.net.ftp.FTPClient.initiateMListParsing(FTPClient.java:2103)
    at org.apache.commons.net.ftp.FTPClient.mlistDir(FTPClient.java:2557)
    at org.apache.commons.net.ftp.FTPClient.mlistDir(FTPClient.java:2545)
    
We assume if a PROXY is used there should be no attempt to resolve the IP 
Address on the FTP Client side and response from the Server should be used.
We have seen that, because of NAT considerations, FTP Client is replacing the 
reported FTP Server IP Address from the PASV response with the IP Address of 
the Socket. This is fine without PROXY.
However in a situation where PROXY is present, FTP Client instructs the PROXY to 
connect to itself for the data connection, which only works if the PROXY is 
running on the same host as the FTP Server :)
Do you have any other use case that may require FTP Client to resolve the IP 
Address of an FTP Server accessible behind a PROXY?
If not, can the FTP Client be changed to respect the PASV response from the FTP 
Server when a PROXY is utilized?

We are aware that this approach would not work if both PROXY is utilized and 
the FTP Server is behind NAT and FTP Server is reporting its internal IP 
Address in the PASV response.
However we do not see any way to mitigate that as in this constellation the 
external IP Address of the FTP Server remains unknown to FTP Client. Such a 
setup does not look like a resolvable problem :(



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
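
The host selection discussed in the report, as an added Java example that is not part of the original message and is not Commons Net code: it parses a PASV reply and chooses the data endpoint depending on whether the control connection goes through a proxy. The class and method names, the viaProxy flag and the sample addresses are assumptions; in proxy mode it also refuses non-routable reported addresses, because trusting the reply lets the server decide where the proxy connects.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.UnknownHostException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PasvEndpointDemo {
    // h1,h2,h3,h4,p1,p2 as carried in a "227 Entering Passive Mode" reply
    private static final Pattern PASV = Pattern.compile(
            "(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3})");

    /** controlPeer is the remote address of the control socket (hypothetical helper). */
    static InetSocketAddress dataEndpoint(String reply, InetAddress controlPeer,
            boolean viaProxy) throws UnknownHostException {
        Matcher m = PASV.matcher(reply);
        if (!m.find()) {
            throw new IllegalArgumentException("no PASV address in reply: " + reply);
        }
        int[] v = new int[6];
        for (int i = 0; i < 6; i++) {
            v[i] = Integer.parseInt(m.group(i + 1));
            if (v[i] > 255) {
                throw new IllegalArgumentException("octet out of range in: " + reply);
            }
        }
        int port = (v[4] << 8) | v[5];
        if (!viaProxy) {
            // Direct connection: the socket peer is the server itself (NAT workaround).
            return new InetSocketAddress(controlPeer, port);
        }
        // Behind a proxy the socket peer is the proxy, so only the reported host can be right.
        InetAddress reported = InetAddress.getByAddress(
                new byte[] {(byte) v[0], (byte) v[1], (byte) v[2], (byte) v[3]});
        if (reported.isSiteLocalAddress() || reported.isLoopbackAddress()
                || reported.isLinkLocalAddress() || reported.isAnyLocalAddress()) {
            throw new IllegalArgumentException(
                    "refusing non-routable PASV address " + reported.getHostAddress());
        }
        // Unresolved, so no local lookup is attempted before the proxy sees the target.
        return InetSocketAddress.createUnresolved(reported.getHostAddress(), port);
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample values from documentation address ranges, not from the report.
        String reply = "227 Entering Passive Mode (203,0,113,10,195,80)";
        InetAddress proxy = InetAddress.getByAddress(new byte[] {(byte) 192, 0, 2, 1});
        System.out.println("peer substituted (reported failure): " + dataEndpoint(reply, proxy, false));
        System.out.println("PASV host kept behind proxy: " + dataEndpoint(reply, proxy, true));
    }
}
```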
